Bert2005 (United States of America) asked:
Can't RDP from home to my RDS server due to expiration of certificate

First, my system was set up by a professional IT who then just left without letting me know where he went. So, I sometimes run into problems I can't figure out.
I used to be able to use RDP to remote to the RDS on my network. Network uses Hyper-V with Windows Server 2019 Standard with two VMs one with 2016 Standard and the other with Windows Essentials. So everyone remotes to the RDS server with the apps either from home or the office. I have a certificate for my domain, but I guess I had a certificate from GoDaddy for RDP to the gateway?

Certificant.PNG

This is the error I am getting. I don't know how to get another one.  Thank you.
Bembi (Germany):

Mmh, yes...
And GoDaddy hasn't sent you a mail that the certificate is due to expire?
Bad...
If you are lucky, GoDaddy has auto-renewed the cert. Then you can download it and install it, I guess on the RD Gateway server.
Otherwise you have to request a new certificate. For this you need the logon information for GoDaddy for your company.
As RDP doesn't work anymore, I guess replacement works only from inside the network.
Bert2005 (asker):

Thanks. Tried to do it going through the wizard on Essentials just for fun. Thanks for your suggestion. I have done certificates for my domain name that way, so I am slightly familiar.

When I get to the certificate store, is there a certain folder I choose. There are a few stores there. Again, sorry for my ignorance.
Certificates for your server are in the My folder.
Hi,

There are several options here: install an internal PKI and "roll your own" cert, renew the GoDaddy cert or choose an alternative like Verisign or Sertigo (sic Comodo).

Comodo SSL vs GoDaddy — How to Choose the Best SSL Certificate (cheapsslsecurity.com) 
Personally I would avoid GoDaddy and switch unless you have some contractual tie in.

As for where to store the new cert, just put it where the existing one is.

Finally, this (cert expiry) is an issue that trips big and small companies up. Make sure you have reminders and reminders on the reminders for the expiry date to avoid future outages.
Thanks Mike,
Here is my dilemma. The person who set up my network who is in California while I am in Maine is very, very good at what he does. And, he used to be a great person. Unfortunately, he grew tired of working with me and just took his ball and went home, never to speak to me again.
I always thought my domain name was .riverpediatrics.org. It is what I used for email and for my pediatric website. But, apparently, at least for the gateway (which I am not even sure if it is on the RDS VM or the Essentials VM) is xxxxxxpediatrics.remotewebaccess.com. I can see the certification, however I don't know where it is in the certificate store or the subject it is under.
Maybe back when he was ethical, he just set the remotewebaccess under a GoDaddy account and neglected to pay for 10 years or let me know what the account was or set it up under my name. I have no idea what the account is, therefore I can't log into it.
GoDaddy won't take calls on the weekend. Other than showing them I have the certificate, I am not sure they will let me do anything with it anyway.
riverviewpediatrics.org, which as you say, has reminder on top of reminder on top of my reminder and is good for five years at a time is under my domain name company, DomainIT.com.
If I just made another certificate, wouldn't I have to change the remotewebaccess for all of my employees who can remote in to zzzzzzpediatrics.remotewebaccess.com.
Maybe I could PayPal some cash to him in exchange for my username and password to what should be my account. Maybe money talks.

A certificate can have several names inside, so you have to find the cert on your RD Gateway and / or external firewall.
As a domain is usually registered to a company...

riverpediatrics.org is not a registered domain.
remotewebaccess.com is registered by Microsoft
riverviewpediatrics.org is registered by SQUARESPACE (your provider is DomainIT.com)

If you use xxx.remotewebaccess.com for your RD session, then it is routed over a Microsoft server, so possibly this server acts as RD gateway, so you have to look at the server to which you connect.
The certificate can be in any folder; the My folder is the most common, but it can also be inside the Remote Desktop folder.

As certificates usually belong to companies or organizations, you may have to talk to GoDaddy to get control back over the certificate.  
Agreed. But, I do have to pay for https://www.riverviewpediatrics.org every so often. That is my overall domain name at least for websites and emails. Confused, I guess.

Thanks.
Yes, sure you pay for the domain.
But following the certificate, it points to a Microsoft domain, so possibly not connected to your domain.
But Microsoft doesn't use GoDaddy certificates...
Is it possible that this is an MS Azure service?
I don't know. Just frustrated that my IT person would even use GoDaddy. He should have let me set up the account in my name. I don't believe this is from Microsoft like the baxxxx.onmicrosoft.com. All in all, it is simply a certificate to allow those who use RDP to remote in from outside the network, to be authenticated. In fact on the login information for RDP.

My bad: when I actually look at the RDP settings for the server name to remote in, it isn't the full domain name. It is:

xxxx.riverviewpediatrics.org. Not sure if I need to mask certain information.

RDP settings.PNG

Unless I hear from the IT person who just left unannounced (maybe I will pay him $100 for the info), I believe I will need to use DomainIT to help. Of course, all of the emails stating it was going to expire went to my IT guy in California. 
riverviewpediatrics.org is your domain and the RDP address is just a server, which is somewhere registered.
You may find out the IP (from external as well from internal) (nslookup xxxx.riverviewpediatrics.org)  to see, if you can identify the machine, there you may also find the cert...


ASKER CERTIFIED SOLUTION by Mike Taylor (United Kingdom of Great Britain and Northern Ireland) (members-only; content not shown)
That seems about right. A little over my head but seems right. Just seems like had I simply renewed that certificate, everything would be just fine. But, for that you either have to keep track of it, have auto-renew or receive a couple of warning emails, which of course I didn't get. Of course, if my former IT guy were here, he would agree with all of the above and have it set up perfectly. Personally, I do not care much for this RDS thin client setup. 
@Mike

"Once done, you need a GPO to deploy the new cert to all your machines. Otherwise they will nag."

I am not quite sure what you mean by machines? We are talking about all computers outside the network. 
SOLUTION (members-only; content not shown)
Maybe if I open an account. I know that when I spoke with GoDaddy this morning and sent a picture of the cert, they said they would be unable to locate it or see it or deal with it or whatever, since I didn't have an account. But, I believe they meant I didn't have an account for them to find the cert.
When I open certlm.msc, then click on the Remote Desktop folder, then Certificates, I find a certificate that looks like it would be the one. But it is not trusted because it isn't stored in Trusted Root Certification Authorities.

Opening the certificate says I have a private key that corresponds to the certificate.
I guess they need a customer number to look into the plan.
Keep in mind that certificate authorities handle millions of certificates, and most of the work is more or less fully automated.

The fast solution may be, if you can not get the login information, to create a new account and to order a new certificate. But it can happen that you then pay double, if the other certificate is still active.
  
I am pretty sure the other certificate is no longer active. I was thinking of getting a new certificate, but I suppose the RDS server would need a new name. I suppose I need to be careful since the entire network is set up basically like "thick clients" i.e. my name for thin clients which are full pcs which remote to the RDS server.

I did go into the pfSense router and found a place for certificate manager and, of course, gateways.

I spoke with DomainIT, and the support tech I dealt with had no idea what an RDS server was or a certificate only my CNAME and Arec and suggested I use that. I suppose I was either wrong or confused him when I talked about my domain name of riverviewpediatrics.org while my RDS server name was different.
___________________

I suppose the easiest way would be if my former support person who designed this entire network would respond to my email. It didn't bounce back. I would gladly pay him by the hour to locate the cert and private key or whatever it is or just renew or get a new cert. Somehow GoDaddy's name is on the cert along with other certs I can find. I can find no cert that expires on 6/15/2021.
If you look into the expired cert, you find a thumbprint. This thumbprint is a unique identifier number. This means two certificates with the same thumbprint are identical. So if you search inside your infrastructure for the cert, you have to search for a cert with the same thumbprint (which implies same issuer, same validity period etc.).

As you call your RDP session with a xxx.remotewebaccess.com
address, and this domain belongs to Microsoft, my guess is that it is possibly an MS Azure gateway, so if you use MS Azure, you may even have a look there.

If you can find the former support person, this is the best option as he can also tell you how the access is constructed, besides the login information for GoDaddy. If you have the account, you can get a new cert in minutes. But you have to know where to replace the cert.
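The thumbprint search Bembi describes, and the expiry reminders Mike recommended earlier in the thread, can both be done from the server itself. The script below is an added example written for this page, not code from either poster; it walks the LocalMachine stores that certlm.msc shows (including the Remote Desktop store the asker found), reports every copy of a given thumbprint, and lists any certificate that is expired or within a warning window. The thumbprint value is a placeholder to be replaced with the one shown on the expired certificate's Details tab.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# RDS / Essentials server. Paste the thumbprint from the expired cert's Details
# tab; spaces from the dialog are stripped automatically.
$Thumbprint = 'PASTE-THUMBPRINT-HERE'   # placeholder, not a value from the thread
$WarnDays   = 30                        # how far ahead to warn about expiry

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# Store names as they appear under certlm.msc ("My" is shown there as "Personal").
# The Remote Desktop store only exists once RDS / RD Session Host has created it.
$stores = 'My', 'Remote Desktop', 'WebHosting', 'Root', 'CA'

$results = foreach ($store in $stores) {
    $path = "Cert:\LocalMachine\$store"
    if (-not (Test-Path $path)) { continue }   # skip stores this machine does not have
    Get-ChildItem -Path $path | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            # DnsNameList is added by the Cert: provider; it includes SAN entries,
            # so a remotewebaccess.com name shows up even if the subject differs.
            DnsNames      = ($_.DnsNameList.Unicode -join ', ')
            NotAfter      = $_.NotAfter
            DaysRemaining = [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
            HasPrivateKey = $_.HasPrivateKey
            Thumbprint    = $_.Thumbprint
            Match         = ($_.Thumbprint -eq $Thumbprint)
        }
    }
}

# 1) Every store that holds the certificate from the error dialog. A copy without
#    a private key in My or Remote Desktop cannot be used by the listener.
Write-Host "Certificates matching thumbprint $Thumbprint"
$results | Where-Object Match |
    Format-Table Store, Subject, DnsNames, NotAfter, HasPrivateKey -AutoSize

# 2) Expiry report for the stores that actually serve RDP / web traffic.
#    Scheduling this (Task Scheduler) and mailing the output gives a reminder that
#    does not depend on one person's GoDaddy inbox.
Write-Host "Certificates expired or expiring within $WarnDays days"
$results |
    Where-Object { $_.Store -in 'My', 'Remote Desktop', 'WebHosting' -and $_.DaysRemaining -le $WarnDays } |
    Sort-Object NotAfter |
    Format-Table Store, Subject, DnsNames, NotAfter, DaysRemaining -AutoSize
```

The first table answers the question raised in this thread (which store holds the cert and whether the private key is present); the second is the routine check that would have caught the June expiry before users at home were locked out.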

SOLUTION (members-only; content not shown)
@Mike,

"My point about machines nagging is your users (whether at home or in the office) need a certificate on their local machine to ensure trust/security. If the cert is missing it pops a warning up. You can carry on (click OK) but it's annoying. It also trains users to click OK and ignore things they ought not to!"

There are no issues with using RDP on the network machines as they can remote to the RDS server easily. There is no external gateway they must pass through. Believe me, if the machines in the office could not remote to the RDS server where all of their work is done through folder redirection, etc.; I would have to close the office and not see patients and send home my staff as they and I would not be able to work. All of their work is done directly on the RDS servers. I would just shut down and work 24/7 on this issue.

I WILL DEFINITELY read those links that you sent. The issue is I have to work on this between patients. Thanks for all the help.
@Bembi

I have found the thumb prints. Part of my issue for trying to get help from the experts is my using xxx to mask certain address of the RDS server, etc.

Do you think it would be easier if I just used the actual terms rather than xxx.etc. 
The issue I mean is minor. It doesn't stop people getting onto the RDS server at all. It's just a popup that shows a mis-configuration. It doesn't bother most people but it's something to avoid.

I do appreciate your position - it is a case of being up the creek without a paddle or a even canoe...
@Mike

I had gone there prior, but I don't think I hit repair. But, here is the actual problem that it gives as one of the errors:

Anywhere access repair.jpg

It states to go to my domain registrar, but my domain registrar doesn't have it. GoDaddy (which works directly with Microsoft for their remotewebaccess) has it, but I can't access it as it is saved to a different account. I am feeling more and more like I will need to call Microsoft support so they can issue a new license through GoDaddy on an account I open.
But, I don't get a popup warning inside the network. It just doesn't need a remotewebaccess to access the RDS.

This is just an issue for those from home who use the remotewebaccess via RDP to access the RDS.
_________________

Calling Microsoft would cost me something like $500 for a support incident, a high price to pay for something like this.
 I really think that Sandeep could simply remote in and fix it or pay for the cert or let me have access or transfer it to my domain registrar.
Hello Bert,

I guess Mike T is not so far away...
It looks like you use the WSE functionality....
So the gateway as well as the cert is a Microsoft topic.
Save the money for the former support person....

So either you find the "repair" button now for the WSE Remote App, or you expose your RDP yourself.
The last option may be a bit of effort; for this you need a new name (connected with your domain), a certificate and some configuration. As your environment is small, the WSE solution may not be the worst one, as I guess that Microsoft takes care of security. If you do it yourself, you have to secure the access yourself.
Well, I received an email from my IT person who simply said it was a Microsoft made cert and to just run the Certificate Wizard again.  Either way I get the same error message. It did seem somewhere to say reboot the server.

But, if my IT guy says Microsoft should just make a new one if I run the wizard again, then that should do it. But, at least before rebooting it didn't. I sent back a screenshot of the error messages and haven't heard back. I would figure he would at least stay with it until it was fixed. I mean:

IT: Run the Access Anywhere wizard and it will be fixed.
ME: I run the wizard and get error messages.
IT: Should address the error messages. But, so far, nothing.

BTW, what does an average very good IT person make an hour in southern California?
SOLUTION (members-only; content not shown)
That's an incredible article. Just need to insure I do it step by step correctly. As to the updates, (I read a piece where one update deleted the cert, and they fixed it like a year later with a fix. I tried to download and install and it had two large updates. I noticed my hard drives were a bit small, so I made them larger. Maybe the updates were too big to install or download.
Easy to make the RDS drive larger. A little trickier for me (to do so). I would like to get the downloads and try them. Of course, if it were an update that fixed a previous one, it wouldn't be working.

Maybe I'll do a pointer to a different question. Your answer seems correct though. 
Followed this to the "t". Received an error message at the end that basically said it didn't work. 
Skipping the last paragraph and following the second two here are the screenshots I got after going through the process:

AA steps (1).PNG
AA steps (2).PNG
AA steps (3).PNG
AA steps (4).PNG
AA steps (5).PNG
AA steps (6).PNG
Yes, first of all you need a Microsoft account to set it up.
The article assumes that you already have one.
If you create a new one, I'm not sure if you are able to take over the existing one...
As the domain name is connected with the Microsoft account which created it.
But you are free to create a different name, but then you have to tell your users.
Have had a Microsoft Account for years. 
So, you logged on and got the error?

Yep.
Last night I tried it three or four times and Microsoft locked me out. So, I tried it again this morning and was unlocked but it didn't work.
Possibly because the RDName is registered on a different account?
Have you tried to logon to your MS Account independent from the RD setup?
OK, I can log into my account. This is frustrating.

My local users logging on the RDS: username and password for the network
Logging onto Microsoft 365: username and password for the network
Microsoft Partner Network: a unique admin username @ riverviewpediatrics.onmicrosoft.com
Microsoft Account: this must be a personal account. According to Microsoft, it cannot be work or school account.

Therefore I am trying to make this certificate using a personal Microsoft Account (which works when I log into my Microsoft Account).

But, using that account brings me to the same error message. That basically you are screwed.

At this point, it seems that the only entity who could fix this would be Microsoft. But, it seems any time I try to talk to them, it turns into an incident report or support incident.

This is all great that this certificate for Anywhere Access comes from Microsoft and it is free and all. But, I would have no issue paying $100 or more for a certificate from GoDaddy or DomainIT or any of the 10,000,000 domain registrars.

What would be the next logical step?
SOLUTION (members-only; content not shown)
Forgive me if I am not following. Through all this, I believe that Microsoft provides the certificate using GoDaddy as an intermediary.

The article that you and Mike referenced did have that last scenario which made it sound as though you could select the same certificate again. However, I can't get there due to the the error message. The article by Microsoft seems to explain it rather well.

I have used everything from SBS2003 to 2008 to 2011 and now Essentials and Windows Server 2016 Standard. I guess I have gotten used to Remote Web Access and the other terms they called it in the past.

I have resigned myself to using Microsoft support and paying whatever it costs to obtain Microsoft's free certificate again. I am also perfectly willing to pay DomainIT for a certificate. The whole thing is just weird that one day I would try to remote in with RDP and get a message saying my certificate was expired.
Again, remotewebaccess.com is a solution built into Windows Essentials, as Windows Essentials is not able to provide its own session host (which is needed for users to use RD Services). Due to this, MS implemented this functionality into Windows Essentials to make RD sessions possible.

All other Windows versions do not have the RD Web Access using remotewebaccess.com, as they provide an RD session host. So you can directly expose it to the outside world, which is not possible with Windows Essentials.

I just said this, that there are other options. But as it is more complex and needs at least an RD gateway server, they chose a "simpler" method for Windows Essentials. Windows Essentials is constructed as a "one server" solution.

Microsoft will charge for the ticket if it is not a bug. If it is a bug, it's free of charge.
Hi experts,

I have not forgotten this question. I am just trying some of the ideas out. Thank you for all your help.